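Deny the root account access to the sshd service
Deny users in the sssh group access to the sshd service
Deny the user lisi access to the sshd service
First create the users ssh1, ssh2, ssh3 and lisi, and set a password for each
Add ssh1, ssh2 and ssh3 to the sssh group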
vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
DenyGroups sssh
DenyUsers lisi
service sshd restart # restart the service
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Test: can users in the sssh group still log in? No, the login is refused!
tail /var/log/secure
Jul 9 01:59:10 localhost sshd[2397]: Received disconnect from 192.168.4.160: 0:
Jul 9 01:59:16 localhost sshd[2401]: Received disconnect from 192.168.4.160: 0:
Jul 9 01:59:23 localhost sshd[2403]: Received disconnect from 192.168.4.160: 0:
Jul 9 01:59:30 localhost unix_chkpwd[2406]: password check failed for user (root)
Jul 9 01:59:30 localhost sshd[2404]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.160 user=root
Jul 9 01:59:32 localhost sshd[2404]: Failed password for root from 192.168.4.160 port 55464 ssh2
### The error messages are visible in the log
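sshd accepts a DenyGroups or DenyUsers entry that matches no existing group or user without any error, and such an entry blocks nobody, so the names are worth checking after editing the file. The following is an added example, not part of the original page: the function names and the sample files (constructed) are assumptions, and it assumes local accounts in /etc/passwd and /etc/group and whitespace-separated directives.

```shell
#!/bin/sh
# Added example (not from the original page): report DenyUsers/DenyGroups
# entries in an sshd_config that name no existing user or group.
# Usage: check_deny_names [sshd_config] [passwd file] [group file]
check_deny_names() {
    conf=${1:-/etc/ssh/sshd_config}
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    awk -v passwd="$passwd" -v group="$group" '
        BEGIN {
            # The first colon-separated field is the user or group name.
            while ((getline line < passwd) > 0) { split(line, f, ":"); users[f[1]] = 1 }
            while ((getline line < group) > 0)  { split(line, f, ":"); groups[f[1]] = 1 }
        }
        /^[ \t]*#/ { next }            # skip comment lines
        { kw = tolower($1) }           # sshd keywords are case-insensitive
        kw == "denyusers" || kw == "denygroups" {
            for (i = 2; i <= NF; i++) {
                name = $i
                # Wildcard, negated and user@host patterns are not plain names.
                if (name ~ /[*?!@]/) continue
                if (kw == "denyusers" && !(name in users))
                    print "DenyUsers " name ": no such user"
                if (kw == "denygroups" && !(name in groups))
                    print "DenyGroups " name ": no such group"
            }
        }
    ' "$conf"
}

# Constructed sample files: the group is sssh, the config misspells it.
demo_constructed() {
    d=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/bash\nlisi:x:501:501::/home/lisi:/bin/bash\n' > "$d/passwd"
    printf 'root:x:0:\nsssh:x:502:ssh1,ssh2,ssh3\n' > "$d/group"
    printf 'PermitRootLogin no\nDenyGroups ssshd\nDenyUsers lisi\n' > "$d/sshd_config"
    check_deny_names "$d/sshd_config" "$d/passwd" "$d/group"
    rm -rf "$d"
}
```

Run check_deny_names with no arguments to check the live /etc/ssh/sshd_config; empty output means every plain name in the two directives exists.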
Allow SSH logins from the local machine or hosts on the LAN
vim /etc/hosts.allow
sshd: 192.168.4.0/255.255.255.0 127.0.0.1
vim /etc/hosts.deny
sshd: ALL